Rogue AVs have not attracted much attention recently, probably because they are no longer screaming in everyone’s faces the way they were when every trending topic produced massive numbers of blackhat SEO-poisoned URLs.
So where are they lurking nowadays?
They are still using the SEO-poisoning method, of course. They would need to gain some visibility after all. But in addition to the usual compromised domains, they are now happily residing in Tumblr.
The screenshot below is taken from one of the several rogue-pushing Tumblr accounts:
And well, as internet users, when we are presented with a video and a play button in the middle, what do we do? We click it! Right? And the video will promptly play… well, not this time. That “video” is actually an image. So that innocent click sets the attack in motion: it takes you to a page which redirects to an exploit page and finally to a rogue AV.
It exploits the Java vulnerability CVE-2012-0507 and Adobe Reader vulnerabilities CVE-2008-2992, CVE-2007-5659, and CVE-2010-0188.
Successful exploitation currently leads to a rogueware called Windows Performance Adviser.
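To make that chain concrete from the defender's side, here is an added example (not from the original post) that scans proxy logs for it: a request that starts on Tumblr, hops via Referer through a redirect to an untrusted domain, and within a short window fetches a Java archive or a PDF, the content types the listed Java (CVE-2012-0507) and Adobe Reader exploits arrive in. The log format, the sample log lines, the domain names, the 30-second window and the trusted-domain list are all constructed assumptions.

```python
"""Trace a Tumblr -> redirect -> exploit-payload chain in proxy logs.

Added, constructed example; not code from the original post. Log format,
domain names, time window and trusted-domain list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# The exploit stage in the post uses a Java vulnerability (delivered as a
# JAR) and Adobe Reader vulnerabilities (delivered as PDFs).
EXPLOIT_CONTENT_TYPES = {"application/java-archive", "application/pdf"}

# Domains a user is expected to start from. Constructed; extend as needed.
TRUSTED_DOMAINS = {"tumblr.com"}

# Maximum age of the whole chain, from the trusted page to the payload fetch.
WINDOW = timedelta(seconds=30)

# Constructed proxy log lines:
# "<ISO timestamp> <client> <status> <url> <referer or -> <content-type>"
SAMPLE_LOG = """\
2012-05-01T10:00:00 10.0.0.5 200 http://example-blog.tumblr.com/post/1 - text/html
2012-05-01T10:00:04 10.0.0.5 302 http://redir.example/go?x=1 http://example-blog.tumblr.com/post/1 text/html
2012-05-01T10:00:05 10.0.0.5 200 http://kit.example/index.php http://redir.example/go?x=1 text/html
2012-05-01T10:00:06 10.0.0.5 200 http://kit.example/load.jar http://kit.example/index.php application/java-archive
2012-05-01T10:00:07 10.0.0.5 200 http://kit.example/doc.pdf http://kit.example/index.php application/pdf
2012-05-01T10:00:09 10.0.0.5 200 http://kit.example/setup.exe http://kit.example/index.php application/x-msdownload
2012-05-01T10:05:00 10.0.0.9 200 http://example-blog.tumblr.com/post/2 - text/html
2012-05-01T10:05:03 10.0.0.9 200 http://cdn.example/video.mp4 http://example-blog.tumblr.com/post/2 video/mp4
"""


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer, ctype = line.split()
        entries.append({
            "ts": datetime.fromisoformat(ts), "client": client,
            "status": int(status), "url": url, "referer": referer, "ctype": ctype,
        })
    return entries


def registered_domain(url):
    """Last two labels of the host. Real deployments use the public suffix list."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def is_trusted(url):
    return registered_domain(url) in TRUSTED_DOMAINS


def find_exploit_chains(entries, window=WINDOW):
    """Return one finding per exploit-type fetch from an untrusted domain that
    traces back, through Referer headers and within `window`, to a page on a
    trusted domain. Each finding carries the full hop list, oldest first."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)

    findings = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda e: e["ts"])
        latest = {}  # url -> most recent request for it by this client (so far)
        for e in reqs:
            latest[e["url"]] = e
            if e["ctype"] not in EXPLOIT_CONTENT_TYPES or is_trusted(e["url"]):
                continue
            chain, cur, origin = [e["url"]], e, None
            # Walk the Referer links backwards until we reach a trusted page,
            # run out of known requests, or fall outside the time window.
            while cur["referer"] != "-" and cur["referer"] in latest:
                prev = latest[cur["referer"]]
                if e["ts"] - prev["ts"] > window:
                    break
                chain.append(prev["url"])
                if is_trusted(prev["url"]):
                    origin = prev["url"]
                    break
                cur = prev
            if origin:
                findings.append({"client": client, "origin": origin,
                                 "payload": e["url"], "chain": list(reversed(chain))})
    return findings


if __name__ == "__main__":
    for f in find_exploit_chains(parse_log(SAMPLE_LOG)):
        print(f["client"], "->", " -> ".join(f["chain"]))
```

The second client fetches a real video from an off-site CDN straight from the Tumblr page and produces no finding: the rule needs both the hop through an untrusted redirector and a fetch of an exploit-bearing content type, which keeps ordinary embedded media out of the alert stream.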
So… tip of the day… If those wonderful videos are not on a trusted domain… don’t click them. But… but… Just don’t. 😉